I recently read a very interesting paper, the 2017 Synopsys CISO report.
I found it very thought-provoking, particularly in the way that CISOs, or organisations, have been grouped into 4 tribes based on their outlook on security.
I wondered whether anyone else here had read it, or whether there are any other good resources available, perhaps books or other research, on the topic of assessing the security culture of an organisation.
I have worked at over 40 organizations in my IT/Security career as a long-time consultant and contractor. I tend to rate my experiences with organizations on a maturity model like CMMI.
I am currently at a level 0 organization, and I have been there before. Now, typically you rate applications, functions, tasks, etc. for maturity and not the whole organization, but it is just a shortcut in my mind, so hopefully I don't offend anyone with this conceptualization.
A level 0 organization has numerous functions that are sub-ad hoc, meaning not only do they not have consistent or documented processes, but they often have no idea how to even find their equipment and no one to admin it if they do. SCARY!!
But I take these jobs primarily to help them dig out of these holes as a program manager.
Here's what I have seen in my last 3 gigs as a cybersecurity program manager contractor:
I guess I am saying I find these truths to be recurring across numerous organizations and culture-types. Private and public, large and small, mature and immature.
Good stuff, Ravenshroud.
Have you worked at any Level 4 or 5 firms and was that enjoyable?
Or does the satisfaction come from helping organisations to step up in their level of maturity?
Well, of course there really is no level 5, as level 5 is a temporary state given the changing goals, particularly security and privacy goals, these days.
Even level 4 is very challenging to reach.
I managed the largest technical team for Dell's largest services customer a few years back and I created a report for my executive director that showed how many people would be required to keep different technologies at different maturity levels.
But here is the problem...
IT staffing at organizations tends to be kept at KTLO-levels (Keep the Lights On) or just above it. It is very hard to get past level 2 with that mentality and budget.
Security staffing, I am finding, is ramping up quickly, but because there are so many vectors of attack, it is hard to keep 20 tools online and optimized (firewall, IDS/IPS, vulnerability scans, antivirus, heuristics engines (FireEye, Carbon Black, etc.), application scanners, patch management, email security gateways, web browser gateways, PIM, etc. etc.), and this doesn't include compliance or risk management.
Level 3 maturity should be everyone's goal for critical technologies (business or IT). Level 2 is good enough with limited staffing for everything else. Level 4 and 5 are stretch goals when staffing is accessible.
I am finding global organizations saving money by hiring in Poland, Colombia, Malaysia, Bangladesh, etc. Those companies are going to have a real advantage once they ramp up their staff, if they can hold onto them!